Massive HIPAA breach linked to Heartbleed bug highlights huge security risk facing healthcare sector, expert says
A historically large data breach at Community Health Systems has been linked to the infamous Heartbleed bug, an event that could mark a “tipping point” in how healthcare providers approach data storage and security, according to Forbes contributor Dan Munro.
CHS revealed in late August that it had experienced a data breach affecting the personal information of 4.5 million patients of the large hospital chain. Since then, forensic investigators have linked the breach to Heartbleed, a notorious flaw in the widely used OpenSSL cryptographic library that came to light last spring, allowed attackers to read memory from affected servers, and may have affected more than a million web servers.
The software Heartbleed affected, OpenSSL, is free software of the kind known as “open source,” Munro noted in a Forbes column that first appeared Monday. Open-source software is widely used by large organizations; this practice is not “inherently wrong” but does pose a “higher risk” because open-source software comes with no warranty of any kind, Munro wrote. A pending class-action lawsuit against CHS could address whether healthcare providers are negligent when they rely on open-source software to safeguard patient data protected by the Health Insurance Portability and Accountability Act (HIPAA), Munro surmised.
The lessons of the CHS breach go beyond the use of open-source software, he emphasized. The attacker has been traced to a group in China, underscoring that healthcare providers now have to worry not only about “lone hackers” but also about large groups that are sometimes state-sponsored. Healthcare providers tend to underfund cybersecurity and “downplay the importance of IT infrastructure,” Munro noted. He argued that these latest developments should spur them to consider the more sophisticated security being offered by tech startups focused specifically on the sector.